deps: modernize all dependencies (python, terraform, helm, images, CI)#131
deps: modernize all dependencies (python, terraform, helm, images, CI)#131oferk0 wants to merge 10 commits into
Conversation
Bump all runtime and dev dependencies in tools/pyproject.toml to latest stable releases and regenerate poetry.lock. Notable major bumps: kubernetes 27->36, hvac 1->2, PyInstaller 5->6, azure-mgmt-* (storage/ compute/containerservice), configparser 6->7, google-cloud-storage 2->3, boto3/awscli to 1.43/1.45, flake8 6->7. Raise Python ceiling to <3.14 and migrate dev-dependencies to the [tool.poetry.group.dev] table. Fix breaking changes surfaced by the upgrade: - azure-mgmt-storage 25 removed the pinned v2021_04_01 API module; import SkuName/Kind from azure.mgmt.storage.models instead. - setuptools 82 removed pkg_resources; resolve the bundled kubeconfig.yaml via importlib.resources (verified in the PyInstaller frozen binary). - pin anyio >=4.9 so httpx-ws (via kr8s) finds AsyncContextManagerMixin. Verified: poetry lock/install, cgdevxcli + all subcommands import, flake8 runs, PyInstaller build produces a working frozen binary that resolves the bundled resource.
Pin previously-unpinned providers and bump everything to latest stable
within the constraints validated below. Each root/module was verified with
terraform init -upgrade + terraform validate (1.8.2 locally).
Providers:
- aws: pin to >= 5.0, < 6.0 (latest 5.100). Held at 5.x because EKS module
v20 requires aws < 6.0; aws 6.x needs EKS v21 (declined as too risky).
- azurerm ~>3.86 -> ~> 4.0 (4.78). Fixed v4 breaking changes: subnet
private_endpoint_network_policies_enabled (bool) -> private_endpoint_
network_policies ("Disabled"); AKS enable_auto_scaling/enable_host_
encryption/enable_node_public_ip -> *_enabled renames; removed the now-
implicit arg from azure_active_directory_role_based_access_control;
key_vault enable_rbac_authorization -> rbac_authorization_enabled.
- google ~>5.45 -> ~> 6.0 (6.50). Held at 6.x because the pinned GKE module
(kubernetes-engine 34.0.0) caps google < 7.0; google 7 needs the 34->44
module rewrite (mirrors the EKS-v21 decision).
- harbor / sonarqube / restapi / vault: were unpinned; pinned to ~> 3.0 /
~> 0.16 / ~> 3.0 / ~> 5.0 (latest majors).
- kubernetes >= 2.10 -> >= 2.20, < 4.0 (resolves to 3.2).
- random ~>3.5.1 -> ~> 3.9.
- github provider 5.42 -> 6.0, gitlab provider 18.2 -> 19.1 (via const.py).
Fixed gitlab v19 breaking changes in the repository module: gitlab_project
issues_enabled -> issues_access_level; gitlab_branch_protection
allowed_to_push nested block -> list attribute.
Modules:
- EKS module ~>19.16 -> ~> 20.37. Migrated off the removed create/manage_aws_
auth_configmap to authentication_mode = API_AND_CONFIG_MAP +
enable_cluster_creator_admin_permissions (Access Entries). IAM IRSA module
held at ~>5.58 (v6 requires aws >= 6.28, incompatible with EKS v20 + aws 5).
- VPC module ~> 5.0 -> ~> 5.21.
CLI const.py: TERRAFORM_VERSION 1.6.4 -> 1.15.6, KUBECTL_VERSION 1.33.1 ->
1.33.13 (cluster default is 1.32; kubectl stays within +1 skew).
NOTE: validate-only. The AWS/Azure/GCP modules cannot be terraform-plan'd
without live cloud credentials + state; the EKS v20 Access Entry migration
in particular needs a reviewed plan before apply.
Bump every core-services Helm chart targetRevision (and the matching cg-devx.metadata chart-version/version labels) to latest stable, and bump the bundled ArgoCD install from v2.14.12 to v3.4.4. Each chart was verified by rendering it with helm template at the new version using the Application's own inline values (29/29 render clean); the ArgoCD kustomize base was verified with kubectl kustomize (71 resources, image v3.4.4). Notable bumps: kube-prometheus-stack 72.6.2 -> 87.1.0 and prometheus- operator-crds 20.0.0 -> 30.0.0 (kept in lockstep, both app v0.92.0); external-secrets 0.16.0 -> 2.6.0; vault 0.26.1 -> 0.33.0; velero 7.2.1 -> 12.0.3; loki 6.30.0 -> 7.0.0; harbor 1.16.3 -> 1.19.1; cert-manager 1.17.2 -> 1.20.2; ingress-nginx 4.12.2 -> 4.15.1; argo-workflows 0.45.15 -> 1.0.17; backstage 1.6.0 -> 2.8.2; kyverno + kyverno-policies 3.4.1 -> 3.8.x (lockstep); keda 2.17.1 -> 2.20.1; trivy-operator 0.28.1 -> 0.33.2; gpu-operator 24.3.0 -> 26.3.2; cluster-autoscaler 9.46.6 -> 9.58.0; gitlab-runner 0.77.2 -> 0.90.0; plus atlantis, tracee, external-dns, reloader, promtail, perfectscale exporter/psc-autoscaler. Values migrations required by the upgrades: - backstage v2 chart: removed image.debug (rejected by the chart schema). Held at the latest patch of the current major line rather than jumping a disruptive product/transitional release (same conservative rationale as the EKS/aws and GKE/google decisions): - kubecost cost-analyzer -> 2.8.6 (2.9.x is a transitional 'agent upgrade prep' release that intentionally refuses to render; no 3.x exists yet). - sonarqube -> 10.8.1 (the chart's 2025/2026 calendar-versioned line is a SonarQube product-major change that also breaks the pinned plugin set and adds a required monitoringPasscode secret). NOTE: helm template confirms each chart renders with its values, but does not flag value keys silently dropped across major versions. Each app should be reviewed against its upstream upgrade notes via the ArgoCD diff before sync.
Pin the three images that used :latest so deployments are reproducible: - oauth2-proxy: quay.io/oauth2-proxy/oauth2-proxy:latest -> v7.15.3 - ARC runner: summerwind/actions-runner:latest -> v2.335.1-ubuntu-24.04 - velero wait Job: registry.hub.docker.com/bitnami/kubectl:latest -> rancher/kubectl:v1.33.12. Bitnami's free Docker Hub catalog was deprecated and its versioned kubectl tags now 404, so this switches to the maintained rancher/kubectl image pinned to the 1.33 cluster line.
- actions/checkout v3 -> v7 - actions/setup-python v4 -> v6 - ncipollo/release-action stays at v1 (already the latest major, v1.21.0) - workflow input defaults: Python 3.12.2 -> 3.12 (resolve latest patch), Poetry 1.8.2 -> 2.4.1 (latest stable) Add .github/dependabot.yml to keep pip (tools), github-actions, and terraform providers/modules updated weekly so the dependency set does not fall behind again.
deps(python): upgrade CLI dependencies to latest stable
deps(terraform): upgrade providers, modules & pinned tool versions
deps(helm): upgrade ArgoCD & core-services chart versions
deps(images): pin floating :latest image tags
deps(ci): bump GitHub Actions & add Dependabot
|
Warning Review limit reached
More reviews will be available in 49 minutes and 49 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate. For paid Pro and Pro+ PR reviews, CodeRabbit uses rolling per-developer review limits. Reviews become available again as older review attempts age out of the rolling limit window. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (50)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Integration branch bundling the dependency modernization across all 5 layers. Each layer was reviewed/merged as its own PR on the fork (oferk0/cg-devx-core #1–5).
pkg_resourcesremoval, anyio floor. Verified: lock+install, frozen binary.init -upgrade+validate;helm template;:latesttags.Layers touch disjoint files; k8s spine consistent (cluster 1.32 → kubectl 1.33 → client 36).